CVE-2026-27608
Received Received - Intake
Authorization Bypass in Parse Dashboard AI Agent API Enables Privilege Escalation

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and can supply write permissions in the request body to perform write and delete operations. Only dashboards with `agent` configuration enabled are affected. The fix in version 9.0.0-alpha.8 adds per-app authorization checks and restricts read-only users to the `readOnlyMasterKey` with write permissions stripped server-side. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27608
EUVD
EUVD-2026-8591
Affected Vendors & Products
Showing 135 associated CPEs
Vendor Product Version / Range
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.3.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.4.0
parseplatform parse_dashboard 7.5.0
parseplatform parse_dashboard 7.5.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 7.6.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.0.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.0
parseplatform parse_dashboard 8.1.1
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.2.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.3.0
parseplatform parse_dashboard 8.4.0
parseplatform parse_dashboard 8.4.1
parseplatform parse_dashboard 8.4.1
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 8.5.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
parseplatform parse_dashboard 9.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27608 is a critical vulnerability in the parse-dashboard npm package affecting versions 7.3.0-alpha.42 through 9.0.0-alpha.7. The issue is due to a missing authorization check on the AI Agent API endpoint (POST /apps/:appId/agent). Authenticated users scoped to specific apps can exploit this by changing the app ID in the URL to access any other app's agent endpoint without proper authorization."}, {'type': 'paragraph', 'content': 'Additionally, read-only users are incorrectly granted the full master key instead of a restricted read-only master key, allowing them to perform unauthorized write and delete operations by supplying write permissions in the request body.'}, {'type': 'paragraph', 'content': 'This vulnerability only affects dashboards with the agent configuration enabled. The fix, introduced in version 9.0.0-alpha.8, adds per-app authorization checks and restricts read-only users to the readOnlyMasterKey, stripping any write permissions server-side. As a workaround, removing the agent configuration block from the dashboard configuration prevents exposure.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can have severe impacts because unauthorized users can access and manipulate data of any app managed by the dashboard. Authenticated users scoped to one app can access other apps' agent endpoints without permission."}, {'type': 'paragraph', 'content': 'Read-only users can escalate their privileges by obtaining the full master key instead of a restricted one, enabling them to perform write and delete operations. This can lead to unauthorized data modification or deletion.'}, {'type': 'paragraph', 'content': 'The vulnerability has a CVSS v4 base score of 9.3 (Critical), indicating high impact on confidentiality and integrity, though availability is not affected.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized access to the AI Agent API endpoint (POST /apps/:appId/agent) by modifying the app ID in the URL. Detection can focus on monitoring requests to this endpoint for unusual app ID changes or unauthorized access attempts.'}, {'type': 'paragraph', 'content': "You can detect potential exploitation by inspecting logs or network traffic for POST requests to /apps/:appId/agent where the appId parameter does not match the authenticated user's authorized apps."}, {'type': 'paragraph', 'content': 'Suggested commands include using tools like curl or network monitoring utilities to check for unauthorized access patterns. For example:'}, {'type': 'list_item', 'content': 'Use curl to test access to the agent endpoint with different app IDs: curl -X POST https://your-dashboard-domain/apps/otherAppId/agent -H "Authorization: Bearer <token>" -d \'{}\''}, {'type': 'list_item', 'content': "Check server logs for POST requests to /apps/:appId/agent with app IDs outside the user's scope."}, {'type': 'list_item', 'content': 'Use network monitoring tools (e.g., Wireshark, tcpdump) to capture and analyze traffic targeting the /apps/:appId/agent endpoint.'}] [1]

Mitigation Strategies

To mitigate this vulnerability immediately, remove the agent configuration block from your Parse Dashboard configuration. Dashboards without the agent configuration are not affected by this issue.

Additionally, upgrade your parse-dashboard package to version 9.0.0-alpha.8 or later, where the fix includes per-app authorization checks and restrictions on read-only users to prevent unauthorized write and delete operations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27608. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart